Installer still present

[Michael]

I think the 'Installer still present' red error box should be moved from the main ACP page to the Security Center page. It just seems to me to be something that fits in with the other Security options on that page.

[Brandon C]

But it certainly gets one's attention enough to do something about it.

I personally think you shouldn't be allowed to login to the ACP unless you have deleted the /install directory.

[harmor]

You can still access the ACP even if the installer wasn't deleted?
I think IPS should force people to delete it before they can access the control panel.

[Keven Fox]

Doesn't really matter to me at all, I have enough sense to delete the directory :)

[UBERHOST.NET]

I say move it to the Security Center page, then make that page come up default when there is a security issue to fix.

[Michael]

You don't really need to remove the whole directory, just the index.php file. And even then, they'd need your password to do any damage.

[Mat Barrie]

And as a side note, the manual tells you NOT to delete the install directory. It says you should delete index.php, but that is IT.

[Keven Fox]

It doesn't hurt, I've had no problems deleting the directory :P

[Microo]

It won

[harmor]

It won

[Brandon C]

Doesn't really matter to me at all, I have enough sense to delete the directory :)

Same here, but some people do not. I always delete the install and upgrade directories after each install/upgrade. :)

I was just suggesting it as I felt IPS should implement that in as an added security feature.

[Microo]

That's why there should be a message saying "index.php is still present in the install directory."

If you're not smart enough to delete a file than you're not smart enough to install IPB in the first place.

Exactly, my point was that they shouldn

[richstar]

I would go one step further and prohibit use of the board entirely until the install.php file is removed from the installation directory. If people do not understand that an important part of the installation is to remove the installer before going "click to log in" then they really shouldn't be doing the install IMO.

[dwhitehouse]

That may sound good in theory, but if people try to connect to your board and cant access it, its 1 of 2 things. You have turned it off, or you forgot your installer, and then in that case they may just go and reinstall your forum.

I like the idea of moving it to the security panel, and when there is a security update it loads that page first. +1

[Brandon C]

That may sound good in theory, but if people try to connect to your board and cant access it, its 1 of 2 things. You have turned it off, or you forgot your installer, and then in that case they may just go and reinstall your forum.

I like the idea of moving it to the security panel, and when there is a security update it loads that page first. +1

Well it would tell them that they needed to remove the install/index.php file or the install directory before they could continue.

[RaDiOAcTiVe]

i think differently. i think that it attracts more attention on the admin page. maybe you can do both since it is a good idea...

[PolakTom101]

I thnik it should stay. I noticed when installing IPB 2.2 over and over since i missed around with it to much I usually forgot about install/index.php file so it's nice when u login into the ACP it stands out there and not in the Help & Supprot Section where u don't vistit to often.

[richstar]

I guess its a question of letting the admin know they have left the installer in play, but not letting anyone else know. That's why it's important that a board not be left too long in it's default state, even if the admin creates five or six accounts and makes spurious posts to give anyone the idea it is a fully installed board actively in use rather than a just installed board so they go looking for the /install/index.php file.

In any case IPB requires the admin to have created a database prior to installation.

I would leave it in the ACP in that case. I now appreciate the subtlety of not advertising the fact to the world that the installer is still there.

[Mat Barrie]

Bearing in mind that even with the installer present, it will not run with install.lock present anyway :)

If an exploiter can remove that file, they have the potential to do more damage than resetting your posts and the like.

[Michael]

Exactly. Is not deleting it a security risk? Sure. Is it as risky as leaving the CHMOD of conf_global.php at 777? I wouldn't think so. I just think this setting deserves to be on the Security Center page along with all other similar security threats from the files/settings on the board.

[Strange_Will]

Doesn't really matter to me at all, I have enough sense to delete the directory :)

There are other files in the install directory used in the skin tools for rebuilding things.

I found that out the hard way ;)

[Mat Barrie]

There are other files in the install directory used in the skin tools for rebuilding things.

I found that out the hard way ;)

I assume Reversion requires the original Skin SQL in that directory or some such. It makes sense, why duplicate data in the database?

[Quillz]

I would go one step further and prohibit use of the board entirely until the install.php file is removed from the installation directory. If people do not understand that an important part of the installation is to remove the installer before going "click to log in" then they really shouldn't be doing the install IMO.

I agree. With vBulletin, you are forced to remove the installation files before you are allowed access to the ACP. This would be a good idea for IPB to adopt, as well.

[Mat Barrie]

I agree. With vBulletin, you are forced to remove the installation files before you are allowed access to the ACP. This would be a good idea for IPB to adopt, as well.

Except that certain ACP functionality requires the Installation files to be present. (With the obvious exception of Index.php)

IPB locks the installation out unless install.lock is removed anyway, and like I said before - if an exploiter is able to remove install.lock, you have bigger problems on your hands than them running the installer.

[Quillz]

Except that certain ACP functionality requires the Installation files to be present. (With the obvious exception of Index.php)

IPB locks the installation out unless install.lock is removed anyway, and like I said before - if an exploiter is able to remove install.lock, you have bigger problems on your hands than them running the installer.

I know that you need the /install/ file. You should be locked out of the ACP for the first time until you remove /index.php, like what vBulletin already does.